Cyber Security Terms and Definitions – Part 2

The list below is a continuation of the series Cyber Security Terms and Definitions. Some of these terms you may have heard already; others you will probably hear sometime in the near future.

I am not sure how many of these I need to do past this point because it can get into some areas that you will probably not run into. If you have terms or topics you want to take a deeper dive into, let me know and either I will answer it or have one of the cyber security experts I know post a response to it.

Blacklist – A list of known bad sites and/or IP addresses. For instance, once a point of origin has been identified as a source of spam email, that site/IP is put on a blacklist. There are subscription services that maintain broad lists of blacklisted sites/IPs that you can add to your security profile, but a blacklist can also be sites/IPs that you have identified yourself and put into your firewalls. Anything not on the list is allowed through, so a blacklist only stops what someone has already seen and reported.

I have also run into situations where a legitimate site/IP has ended up in a blacklist simply because the blacklist service could not confirm it was a good site/IP.

Whitelist – This can be tricky… Unlike the blacklist, where you leave yourself open to anything that is not on the list, the whitelist approach says I will not allow anything unless it is on the whitelist (default deny). If you set up your security scheme this way, it will increase your IT maintenance time, because every time someone needs to go to a site/IP that is not on the list it must be added by hand, one at a time. It is safer, but more time consuming, and it only stays safe if each addition is actually reviewed rather than rubber-stamped.

Phishing – Whether you realize it or not, you have probably already been on the receiving end of a phishing attack. Most of us remember the Uganda (I think Uganda… could have been Ethiopia… I digress) email that said all you needed to do was put $1,000 in a bank account and you would magically get, oh I don’t know, $100,000 for your time and trouble. This was a form of phishing.

Phishing today is much more sophisticated. You might receive an email with the subject “AT&T – Your Online Bill is Ready”. If you click the link, it could take you to a site that looks just like AT&T’s. The link text you see may be “AT&T Bill”, while the URL (web address) you don’t see may be something like http://att.billing.biz. The site asks you to enter your account name and password to review your bill; if you do, the attackers now have your AT&T credentials. Another thing that might happen when you click the link is that a malicious program gets installed on your machine to log your keystrokes. Other things can occur too, but suffice it to say that if you get an email and you are not 100% sure of its point of origin, delete it or forward it to your IT staff for review.

You can also do some investigating yourself. In the example above the link was “AT&T Bill”. If you hover over the link (DO NOT CLICK), your mail client or browser will show you the web address it actually points to. Read that address carefully: what matters is the domain name right after http:// or https:// and before the first single slash, and whether that domain is att.com or att.net (or a subdomain of them, such as www.att.com). Attackers count on you skimming, so an address like http://www.att.com.evil.biz/ or http://www.att.com@evil.biz/ contains the words att.com but actually goes to evil.biz. If the real domain is anything other than att.com or att.net… DELETE IT! On a phone there is no hover, so press and hold the link to preview it; safer still, skip the link entirely and type www.att.com into your browser yourself.
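Here is a small Python script, added as an example and not part of the original post, that turns the two checks above into code: it pulls the real host out of a link the way a browser would (so the user@ and lookalike-subdomain tricks are handled), tests it against an allowlist of legitimate domains, and contrasts the blacklist (default allow) and whitelist (default deny) policies from the earlier definitions. The domain lists, the 203.0.113.0/24 range and the sample links are constructed for the example; nothing here is from AT&T.

```python
"""E-mail link check and blacklist/whitelist policy demo (stdlib only)."""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed lists for this example: the domains you would trust for a real
# AT&T bill, a denylisted domain, and a denylisted network (203.0.113.0/24 is
# a documentation range, not a real attacker).
LEGIT_DOMAINS = {"att.com", "att.net"}
DENYLISTED_DOMAINS = {"billing.biz"}
DENYLISTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would connect to for this URL, or None.

    urlsplit().hostname already drops 'user:pass@' and ':port' and lowercases
    the name, so 'http://www.att.com@evil.biz/' yields 'evil.biz'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, mailto: ... are not web links
    return parts.hostname or None


def in_domain(host: str, domain: str) -> bool:
    """True if host is `domain` or a subdomain of it. Matches on label
    boundaries, so 'www.att.com.evil.biz' does NOT match 'att.com'."""
    return host == domain or host.endswith("." + domain)


def link_looks_legit(url: str) -> bool:
    """The 'hover and read the address' check from the text, in code."""
    host = hostname_of(url)
    if host is None:
        return False
    return any(in_domain(host, d) for d in LEGIT_DOMAINS)


def _denylisted(host: str) -> bool:
    """Match either an IP against the denylisted networks or a name against
    the denylisted domains."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(in_domain(host, d) for d in DENYLISTED_DOMAINS)
    return any(ip in net for net in DENYLISTED_NETS)


def allowed(host: str, mode: str) -> bool:
    """Evaluate one host under a blacklist or a whitelist policy.

    mode="blacklist": block only what is on the list; anything unknown passes.
    mode="whitelist": pass only what is on the list; anything unknown is blocked.
    """
    host = host.lower()
    if mode == "blacklist":
        return not _denylisted(host)
    if mode == "whitelist":
        return any(in_domain(host, d) for d in LEGIT_DOMAINS)
    raise ValueError("mode must be 'blacklist' or 'whitelist'")


if __name__ == "__main__":
    # Constructed sample links: one real-looking bill link and four lures.
    for url in ("https://www.att.com/bill",
                "http://att.billing.biz",
                "http://www.att.com.evil.biz/login",
                "http://www.att.com@evil.biz/login",
                "javascript:alert(1)"):
        print(f"{url:36} host={hostname_of(url)!s:22} legit={link_looks_legit(url)}")
    for host in ("www.att.com", "unknown.example", "att.billing.biz", "203.0.113.7"):
        print(f"{host:18} blacklist={allowed(host, 'blacklist')!s:5} "
              f"whitelist={allowed(host, 'whitelist')}")
```

Running it prints one line per link and then one line per host; the second table is the whole blacklist-versus-whitelist argument in four rows: unknown.example passes the blacklist and fails the whitelist, and the only thing that decides its fate is which default you chose.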

Spear Phishing – Spear phishing is aimed at a specific person or group of people, where plain ole phishing is mass emailing with no particular target, meant to snare anyone who clicks the link.

This type of attack is well thought out and planned. The spear phisher will learn as much as they can about you and/or your company so that when they craft their email it has a high degree of legitimacy and familiarity to the recipient. The agenda for this type of attack is usually to get a foothold inside the company’s network, past the firewall, to reach specific information that you and/or the company possess. Once in, that foothold (for example a program on your PC that quietly calls back out to the attacker) will probably remain undetected for days, weeks, or months, allowing the bad guys to come and go as they please.

Pharming – Redirecting you to a counterfeit website that is designed to look legit in order to get you to enter sensitive information such as passwords, account numbers, Social Security numbers, etc. Where phishing needs you to click a bad link, pharming tampers with name resolution itself (the hosts file on your PC, the DNS settings on your home router, or a poisoned DNS cache), so even typing the correct address can land you on the fake site. The counterfeit site is also, more than likely, where a phishing email will take you if you click it.
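One of the simplest pharming tricks is an entry in the machine’s hosts file, which the operating system consults before it ever asks DNS. The check below is an added example, not something from the original post: it parses hosts-file text and reports any entry that answers for a domain you care about. The hosts content, the watched-domain list and the IP addresses are constructed for the example (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).

```python
"""Flag hosts-file entries that hijack name resolution for sensitive domains."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed hosts-file content: two normal lines, then three static entries
# of the kind a pharming attack (or malware with write access to the file)
# would add.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# added by an "update" the user never asked for
203.0.113.45    www.att.com att.com
198.51.100.9    online.examplebank.com
10.0.0.5        intranet.corp.local
"""

# Constructed list: domains you would never expect to see pinned on a workstation.
WATCHED_DOMAINS = {"att.com", "examplebank.com"}


def in_domain(host: str, domain: str) -> bool:
    """Label-boundary suffix match: 'www.att.com' is in 'att.com', 'notatt.com' is not."""
    return host == domain or host.endswith("." + domain)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs from hosts-file text; comments and blanks skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address; ignore malformed line
        for name in fields[1:]:
            pairs.append((name.lower().rstrip("."), ip))
    return pairs


def find_overrides(text: str, watched: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (hostname, ip) that pins a watched domain, whatever the IP.

    Any static entry for a bank or carrier domain is suspicious: a redirect to
    an attacker's server is pharming, and a pin to 127.0.0.1 silently breaks
    the real site, so both are reported.
    """
    watched = [d.lower() for d in watched]
    return [(name, ip) for name, ip in parse_hosts(text)
            if any(in_domain(name, d) for d in watched)]


if __name__ == "__main__":
    for name, ip in find_overrides(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print(f"SUSPICIOUS: {name} is pinned to {ip} in the hosts file")
    # On a real machine, read /etc/hosts (or C:\Windows\System32\drivers\etc\hosts)
    # and pass its contents instead of SAMPLE_HOSTS.
```

The intranet.corp.local line is deliberately left alone: static entries for your own internal names are normal, which is why the check works from a list of domains that should never be pinned rather than flagging every line.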

Social Engineering – A psychological attack used by cyber attackers to deceive their victims into taking an action that will place the victim at risk. For example, cyber attackers may trick you into revealing your password or fool you into installing malicious software on your computer. They often do this by pretending to be someone you know or trust, such as a bank, company or even a friend.

Spoofing – I mentioned in Phishing above that you may see “AT&T Bill” when in reality the web address was something like http://att.billing.biz. This is a form of spoofing. In other words, a spoofed message appears to have a legitimate point of origin but in reality does not. The sender address on an email can be forged the same way: the “From” you see is just text the sender typed in, unless your mail system checks it.

Spoofing can also occur in text messages and phone calls. A text can appear to come from a legitimate source such as a friend of yours, and the caller ID on a phone call can be faked the same way.

Cyberspace – Hmmm…? This could go in several directions.

If you look online you can get a lot of explanations which basically mean about the same thing. If you want a dictionary definition… Merriam-Webster doesn’t give you a lot to go on. According to MW, the full definition of CYBERSPACE is “the online world of computer networks and especially the Internet”.

I’m just going to say if something is connected and remotely available, it is in cyberspace. Therefore, cyberspace is a virtual environment that connected devices live in.

Encryption – This one can get deep, but we won’t go there. Basically, when data (email, user credentials, etc.) leaves the source to travel over the web, it is scrambled into a “cocoon” of sorts using a key, and only a receiver holding the matching key can unlock the cocoon to see what is in it. Anyone in between sees gibberish. With a shared (symmetric) key the sender and receiver hold the same key; with public-key encryption the sender locks with the receiver’s public key and only the receiver’s private key unlocks it, which is how an https:// connection agrees on the key it then uses for the rest of the session. Encryption can also protect data sitting on a disk or phone, not just data in transit.

Just for fun I asked www.Merriam-Webster.com and this is what I got… “encrypt: to change (information) from one form to another especially to hide its meaning.”
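To make the cocoon-and-key picture concrete, here is a small Python example, added to this post rather than taken from it, that seals a message with a shared secret key and opens it again on the receiving side. It is built only from the standard library (HMAC-SHA256 used as a keystream generator in counter mode, plus an HMAC tag checked before decryption so a tampered cocoon is rejected) so that it runs anywhere; in real systems you call a vetted authenticated cipher such as AES-GCM from a crypto library rather than assembling one yourself. The key and the message are constructed for the example.

```python
"""Seal a message with a shared key and open it again (stdlib only)."""
import hashlib
import hmac
import secrets
from typing import Dict

NONCE_LEN = 16   # fresh random value per message so equal messages encrypt differently
TAG_LEN = 32     # HMAC-SHA256 output length


def _derive_keys(key: bytes):
    """Split one shared secret into separate encryption and authentication keys."""
    enc_key = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: PRF(nonce || counter) for counter = 0, 1, 2, ... gives a pad
    that cannot be predicted without enc_key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Sender's side: XOR the message with the keystream, then tag nonce+ciphertext."""
    enc_key, mac_key = _derive_keys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, pad))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Receiver's side: verify the tag FIRST, and only then decrypt."""
    enc_key, mac_key = _derive_keys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message truncated")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: wrong key or tampered message")
    pad = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, pad))


def demo(key: bytes = b"shared-secret-agreed-out-of-band") -> Dict[str, bool]:
    """Exercise the properties a practitioner cares about; all should be True."""
    message = b"account=alice password=hunter2"   # constructed sample credentials
    blob = seal(key, message)
    results = {
        "roundtrip": open_sealed(key, blob) == message,
        "hides_plaintext": message not in blob,
    }
    try:
        open_sealed(b"some-other-key", blob)
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    # Flip one bit of the ciphertext, as a man in the middle might.
    flipped = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:
        open_sealed(key, flipped)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:20} {'OK' if ok else 'FAIL'}")
```

Two design points carry over to any real encryption you deploy: the nonce changes every message, so sending the same bill twice produces two different cocoons, and the receiver checks the tag before touching the ciphertext, so a modified message is thrown away instead of being decrypted into garbage that downstream code might act on.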

Exploit – In some respects it is what it is: the application of the word is the same whether you are talking about people or things. The technical explanation in cyberland is code that is designed to take advantage of a vulnerability. An exploit is designed to give an attacker the ability to execute additional malicious programs on the compromised system or to provide unauthorized access to affected data or applications.

Malware (Virus, Worm, Trojan, Spyware) – This term is best described by SANS/Securing the Human (http://www.securingthehuman.org/resources/security-terms):

Malware stands for ‘malicious software’. It is any type of code or program cyber attackers use to perform malicious actions. Traditionally there have been different types of malware based on their capabilities and means of propagation, as we have listed below. However these technical distinctions are no longer relevant as modern malware combines the characteristics from each of these in a single program.

  • Virus: A type of malware that spreads by infecting other files, rather than existing in a standalone manner. Viruses often, though not always, spread through human interaction, such as opening an infected file or application.
  • Worm: A type of malware that can propagate automatically, typically without requiring any human interaction for it to spread. Worms often spread across networks, though can also infect systems through other means, such as USB keys. An example of a worm is Conficker, which infected millions of computer systems starting in 2008 and is still active today.
  • Conficker: The origin of the name Conficker is thought to be a combination of the English term “configure” and the German pejorative term Ficker. Microsoft analyst Joshua Phillips gives an alternate interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz (with the letter k, not found in the domain name, added as in “trafficker”, to avoid a “soft” c sound), which was used by early versions of Conficker to download updates. (ref: https://en.wikipedia.org/wiki/Conficker)
  • Trojan: A shortened form of “Trojan Horse”, this type of malware appears to have a legitimate or at least benign use, but masks a hidden sinister function. For example, you may download and install a free screensaver which actually works well as a screensaver. But that software could also be malicious, and it will infect your computer once you install it.
  • Spyware: A type of malware that is designed to spy on the victim’s activities, capturing sensitive data such as the person’s passwords, online shopping, and screen contents. One popular type of spyware, a keylogger, is optimized for logging the victim’s keyboard activity and transmitting the captured information to the remote attacker.

If you have comments or questions feel free to post them here or contact me directly at fred.gordy@smartcore.com

Wearable Technology in the HVAC Industry: Just Around the Bend. Explore the World of AWE

(Photo credit: procore.com blog) While an increasingly concerted effort to grow the HVAC industry young is under way, the need for immediate competent presence (ICP) won’t let HVAC wait. Wearable technology, especially Smart Glasses adapted for the HVAC/Systems Integration markets, may extend the existing talent pool well enough to serve as the necessary interim measure.

The sheer scarcity of human resources available, and the relatively long learning curve and apprentice phase needed to provide unassisted smart HVAC services, call for the use of wearable HVAC-oriented technology as soon as it becomes available. Customers will expect the use of wearable technology solutions to ensure that their needs are being met. And as the favorable shift of economic, social, and technological forces continues to reduce the barriers to entry, the use of wearable technology in the HVAC industry is just around the bend.

Augmented World Expo™ (AWE) is the world’s largest conference and expo for professionals focused on making the world more interactive – featuring technologies such as Augmented Reality, Wearable Computing, Smart Glasses, Gesture and Sensor devices, and the Internet of Things.

Now in its 6th year, AWE is again assembling the top innovators – from the hottest startups to Fortune 500 – to showcase the best augmented world experiences in all aspects of life and work: from entertainment and brand engagement, to enterprise and industrial, urban and architecture, education and training, automotive and navigation, government, and commerce.
AWE 2014 was the largest ever exposition of Augmented Reality and Wearable Technology with over 200 demos, 150 speakers, and nearly 2000 attendees!

AWE 2015 is poised to set a new record and draw 3000 attendees from all over the world: a mix of CEOs, CTOs, designers, developers, creative agencies, futurists, analysts, investors, and top press – and offer a fantastic opportunity to learn, inspire, partner, and experience first hand the most exciting industry of our times.

Trane Engineers Newsletter Live: Applying Variable Refrigerant Flow

During our most recent ControlTalk NOW, we discussed the future impact the Variable Refrigerant Flow technology is likely to make in our HVAC industry, and how it may affect the after-market sales of today’s HVAC controls distributor. During our search for more relevant information, we came across this informative “Trane Engineers Newsletter Live: Applying Variable Refrigerant Flow” post on YouTube. This outstanding 88-minute video tells the whole VRF story. Published on September 30, 2014, this program presented by Trane applications engineers is a comprehensive discussion of some of the challenges when applying a VRF system, such as complying with ASHRAE Standards 15 and 90.1, and meeting the ventilation requirements of ASHRAE Standard.

Caution: Disruption Ahead! Data Sent to Cloud (Not to BMS) — Daikin Applied Intelligent Equipment

The Daikin-Intel disruption bell tolled rather loudly and clearly at the June 2014 Realcomm/IBcon show in Las Vegas. Daikin, one of the world’s largest and most progressive equipment manufacturers, had already rolled out their Rebel Rooftop line, which put them in the pole position (kinda), because merging equipment and controls by utilizing the potency of IoT and new disruptive technology is great and does offer additional value to Daikin’s customers.

Daikin Applied Executive VP, Kevin Facinelli’s video says it all! Yet, for the savvy controls contractor or systems integrator, this poses a challenge. Daikin’s equipment brings intercommunication between equipment, building integration, and the benefits of cloud analytics — via Intel’s Intelligent Gateway — that really seems to do it all, and securely. But! The data (and integration business) doesn’t go through the building BMS network. Hmm, comments, please.

Additional Info: The Intelligent Equipment solution provides building owners the ability to have 24/7 real-time access to the building information and manage operations in a way that was previously unattainable. Daikin Applied products can automatically inform a support organization before they break down so customer service can move from a reactive to a preventative service model.

The Intelligent Equipment solution allows building owners, managers and technicians to have access to the same building information, on the same platform. This capability provides the opportunity for the key members in building management to coordinate their efforts at a higher level.

Ken Sinclair’s January 2015 Edition of Automated Buildings: Auto’s Autodidacticism

Another great edition of Automated Buildings is now available! The January 2015 edition introduces AB editor Ken Sinclair’s critical evaluation of how self-learning is rapidly becoming such a necessary and essential tool for the HVAC industry. In 2011, Seth Godin declared that the internet freed us all from the tyranny of being selected, and that it was time to select yourself. We are seeing this self-selection tenet in full motion and experiencing the impact that self-selection has already had on many industries that have lost their once inalienable gate-keeper rights, with the music industry’s barriers falling the hardest and the fastest. Ken Sinclair proposes, on a very serious upbeat, that IoT will beneficially accelerate “Autodidacticism,” or self-education, within our HVAC industry, and that future IoT tools may be the solutions needed to capture and preserve HVAC knowledge and experience for those willing, and driven by necessity, to teach themselves.

Ken says he likes the word “autodidacticism” because, “I love that this word contains these three words Auto…… Did…… and Act. This provides us an easy way to remember this unusual word that is becoming our future.” Anyone who knows Ken well enough knows that Auto is his nickname. Now, that’s some interesting coincidence.

The January, 2015, edition of automatedbuildings.com is a great read, full of industry insight from the likes of Jim Sinopoli, John Petze, Therese Sullivan, and many others — as well as the earnest encouragement to attend the free education sessions planned at AHR Expo 2015 in Chicago. It is a great way to keep up with, and on top of, the growing theme of self-education. Please drop in and join us.

CTN’S Smart Building Tip of the Week: Accruent’s Facility 360 — Become a Driver of Success

Convert your facility from a cost center to a strategic contributor. Great information from Accruent on how facilities management teams can play a more strategic role in organizations.

7 Ways to Save Time, Costs, and Energy: Download White Paper.

In a world where you must find ways to “do more with less,” finding ways to cut costs can be challenging – and time consuming.

Here at Accruent, we know your time is short in supply and high on demand. That’s why we recommend ONE thing you can do in just 15 minutes to transform your facilities: read this white paper and learn seven easy ways to transform your facilities department into a strategic driver for success.

With the right software partner and processes in place, you can cut your maintenance costs by 35%. You can reduce the time spent scheduling and managing preventive maintenance procedures by 40%, not to mention cut the time required to enter PM work orders by 85%.

Automated Building’s December Theme: “Creating Your Collaboration”

Special note from Ken Sinclair: The December issue is Automated Buildings’ AHRExpo 2015 Chicago preview. Editorial excerpt: “Our December theme ‘Creating your Collaboration’ started with my puzzling with the process of how industry knowledge gets passed on. AHRExpo is the annual event where we present our free education sessions to the industry. This is our 16th year of presenting these sessions and hosting the third annual Connection Community Collaboratory meeting. Online Collaboration is how today’s education occurs.

Education is not an affair of “telling and being told” but an active process; I am a poor presenter but a good connector of concepts and resources for the active process. As a connector of concepts and resources I need to be questioned by those seeking knowledge to be of use. My value is not the knowledge that I can share, but the knowledge I can connect folks to so they can self-teach themselves their way. I am but a catalyst in the process of learning.

I am still struggling with the best way to transfer the industry dumps of information to incoming practitioners of our industry. We came to call this “The Dinosaur Dump” when we dropped 20 to 30 years of industry experience on some poor incoming practitioners who did not even ask one question…..smile.” Read complete editorial!

First Hack was in 1903: Wikipedia’s Timeline of Computer Security Hacker History

According to Wikipedia (in the midst of a donation drive), the origins of cyber-attacks can be traced back to the first “hacking,” which took place in 1903 “when magician and inventor Nevil Maskelyne disrupts John Ambrose Fleming’s public demonstration of Guglielmo Marconi’s purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium’s projector.” Maskelyne’s motives were twofold: first, to disprove Marconi’s boasts about a secure transmission, and second, a mild revenge motive brought on by Marconi’s broad patents and wealth, which were stifling Maskelyne’s own ambitions.

Wikipedia’s final timeline entry is February 7, 2014: Bitcoin exchange Mt.Gox filed for bankruptcy after $460 million was apparently stolen by hackers due to “weaknesses in [their] system” and another $27.4 million went missing from its bank accounts.

Excerpted from: NewScientist. “In 1903, Marconi claimed that his wireless messages could be sent privately over great distances. “I can tune my instruments so that no other instrument that is not similarly tuned can tap my messages,” Marconi boasted to London’s St James Gazette in February 1903.

That things would not go smoothly for Marconi and Fleming at the Royal Institution that day in June was soon apparent. Minutes before Fleming was due to receive Marconi’s Morse messages from Cornwall, the hush was broken by a rhythmic ticking noise sputtering from the theatre’s brass projection lantern, used to display the lecturer’s slides. To the untrained ear, it sounded like a projector on the blink. But Arthur Blok, Fleming’s assistant, quickly recognised the tippity-tap of a human hand keying a message in Morse. Someone, Blok reasoned, was beaming powerful wireless pulses into the theatre and they were strong enough to interfere with the projector’s electric arc discharge lamp.

Mentally decoding the missive, Blok realised it was spelling one facetious word, over and over: “Rats”. A glance at the output of the nearby Morse printer confirmed this. The incoming Morse then got more personal, mocking Marconi: “There was a young fellow of Italy, who diddled the public quite prettily,” it trilled. Further rude epithets – apposite lines from Shakespeare – followed.

The stream of invective ceased moments before Marconi’s signals from Poldhu arrived. The demo continued, but the damage was done: if somebody could intrude on the wireless frequency in such a way, it was clearly nowhere near as secure as Marconi claimed. And it was likely that they could eavesdrop on supposedly private messages too.

Marconi would have been peeved, to say the least, but he did not respond directly to the insults in public. He had no truck with sceptics and naysayers: “I will not demonstrate to any man who throws doubt upon the system,” he said at the time. Fleming, however, fired off a fuming letter to The Times of London. He dubbed the hack “scientific hooliganism”, and “an outrage against the traditions of the Royal Institution”. He asked the newspaper’s readers to help him find the culprit.

He didn’t have to wait long. Four days later a gleeful letter confessing to the hack was printed by The Times. The writer justified his actions on the grounds of the security holes it revealed for the public good. Its author was Nevil Maskelyne, a mustachioed 39-year-old British music hall magician. Maskelyne came from an inventive family – his father came up with the coin-activated “spend-a-penny” locks in pay toilets. Maskelyne, however, was more interested in wireless technology, so taught himself the principles. He would use Morse code in “mind-reading” magic tricks to secretly communicate with a stooge. He worked out how to use a spark-gap transmitter to remotely ignite gunpowder. And in 1900, Maskelyne sent wireless messages between a ground station and a balloon 10 miles away. But, as author Sungook Hong relates in the book Wireless, his ambitions were frustrated by Marconi’s broad patents, leaving him embittered towards the Italian. Maskelyne would soon find a way to vent his spleen.”

Read more!

We Need to Talk: Intel’s MICA — My Intelligent Communications Accessory

Okay, this version is a limited-feature fashion accessory for stylish women, but a few beefed-up wearable siblings, with shock-proof and waterproof features, can’t be far behind. This is the CONTEXTUALIZATION PRINCIPLE’s best example so far, one that has figured out, “INTELigently,” how to claim enough wearable body real estate without significant negative consequence, and takes the lead as the Star-Trekky IoT game-changer that will link every aspect of your life to a connected device worn on your wrist. Get your VISAs out; it’ll probably be ready for your holiday purchases. Read more on Intel’s website!

Niagara Analytics Framework Webinars! Register Now for Information and Demo!!

NIAGARA ANALYTICS FRAMEWORK WEBINARS! Be sure to register for more information and a demo!

Tridium’s new data analytics platform has all of the appealing hallmarks of the truly open Niagara Framework®, enabling you to leverage its power to transform data into actionable information. It combines a historical perspective with real-time insight, moving you from a reactive response to a more powerful proactive position. It’s easy to use and requires no specialized programming skills, yet it gives you advanced analytics.

Register for one of our informational webinars that will feature a demo:

Tuesday, Nov. 18, at 11 a.m., Eastern

Wednesday, Nov. 19, at 2 p.m., Eastern

Monday, Nov. 24, at 11 a.m., Eastern

Tuesday, Nov. 25, at 2 p.m., Eastern

Tuesday, Dec. 2, at 11 a.m., Eastern

Thursday, Dec. 4, at 2 p.m., Eastern

We invite those of you who haven’t done so already to visit the Niagara Analytics Framework website to join our Early Adopter Program, which is filling fast. Be among the first to experience the power of this new product. Early adopters receive:

  • Niagara Analytics Framework certification training for one person
  • One Niagara Analytics starter license
  • An invitation to participate in a monthly contest in 2015 for visibility within the Niagara community, recognition at the 2016 Niagara Summit and the opportunity to win a grand prize

Space is reserved for the first 200 eligible participants who join before the November 21 deadline.

JOIN TODAY